Role assignment to a Managed HSM key does not work

Cao Trong Thang 66 Reputation points
2020-11-25T02:59:19.637+00:00

Hi @JamesTran-MSFT , again :)
I have another question related to role assignment on an HSM key for a service principal.
I had assigned the "Managed HSM Administrator" role on a key to a service principal, expecting that I could then create a ClientSecretCredential to authenticate and get the key.
The problem is that I received an "AccessDenied" error instead.

This is the role assignment:
[screenshot: 42481-roleassignment.png]

Then I tried to get the key:

using System;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Keys;

// Authenticate as the TestApp service principal (client credentials flow)
TokenCredential credential = new ClientSecretCredential([My tenant ID], [Client ID of the TestApp], [Client secret]);
// Key client pointed at the Managed HSM endpoint
var keyClient = new KeyClient(new Uri("https://ctttesthsm.managedhsm.azure.net/"), credential);
// Read the key; this needs Microsoft.KeyVault/managedHsm/keys/read/action on that key
var key = await keyClient.GetKeyAsync("identifytestrsakey").ConfigureAwait(false);

Result:
"Not authorized to access Microsoft.KeyVault/managedHsm/keys/read/action on https://ctttesthsm.managedhsm.azure.net/keys/identifytestrsakey"


Accepted answer
JamesTran-MSFT 36,621 Reputation points Microsoft Employee
2020-11-30T22:41:47.723+00:00

@Cao Trong Thang
Thank you for following up on this! I reached out to our engineering team and will post their response below.

Update:

You granted permission to the application. You need to grant permission to the service principal of the app.

1. Assuming you're trying to assign the Service Encryption role to an application ID like 00000002-0000-0ff1-ce00-000000000000
2. Get the objectID of the service principal:

# Resolve the app (client) ID to the object ID of its service principal
az ad sp show --id "00000002-0000-0ff1-ce00-000000000000" --query "objectId" -o "tsv"

3. Use the object ID from the previous command to assign the "Managed HSM Crypto Service Encryption" role over just one key, using the role-id (instead of the Name): 33413926-3206-4cdd-b39a-83574fe37a1

# Assign the role at key scope (/keys/<key-name>) to the service principal's object ID
az keyvault role assignment create --hsm-name mhsmdemo2 --role "33413926-3206-4cdd-b39a-83574fe37a17" --scope /keys/jackrkey1 --assignee-object-id "bd8e522d-efb5-447e-a2aa-6f500446f2e1"

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
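The procedure in the answer, as an added shell script that is not part of the original post: it resolves the app ID to the service principal's object ID, sanity-checks the GUIDs, assigns the role at key scope and then verifies the assignment is visible. It assumes an already authenticated az CLI; the HSM name, key name and app ID are passed as arguments, and the default role ID is the "Managed HSM Crypto Service Encryption" ID quoted in the answer.

```shell
#!/bin/sh
# Grant a Managed HSM role on ONE key to an app's service principal, then verify it.
# Usage: sh assign_hsm_key_role.sh <hsm-name> <key-name> <app-id> [role-id]
set -eu

# Returns 0 when $1 is a well-formed GUID (8-4-4-4-12 hex). This catches a dropped
# character in a role ID before az returns a less obvious error.
is_guid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Managed HSM key-level scope is "/keys/<key-name>", not a full ARM resource ID.
key_scope() {
    printf '/keys/%s' "$1"
}

# Role assignments bind to the service principal's OBJECT ID, not the app (client) ID.
# "id || objectId" returns whichever property the installed az version exposes.
resolve_sp_object_id() {
    az ad sp show --id "$1" --query "id || objectId" -o tsv
}

assign_key_role() {
    hsm=$1; key=$2; app_id=$3; role_id=$4
    is_guid "$app_id"  || { echo "app id is not a GUID: $app_id" >&2; return 1; }
    is_guid "$role_id" || { echo "role id is not a GUID: $role_id" >&2; return 1; }
    sp_oid=$(resolve_sp_object_id "$app_id")
    is_guid "$sp_oid"  || { echo "no service principal found for $app_id" >&2; return 1; }
    scope=$(key_scope "$key")
    az keyvault role assignment create --hsm-name "$hsm" --role "$role_id" \
        --scope "$scope" --assignee-object-id "$sp_oid" >/dev/null
    # Verify: the assignment must now be listed for that principal at that scope.
    n=$(az keyvault role assignment list --hsm-name "$hsm" --scope "$scope" \
        --assignee-object-id "$sp_oid" --role "$role_id" --query "length(@)" -o tsv)
    [ "$n" -ge 1 ] || { echo "assignment not visible at $scope" >&2; return 1; }
    echo "granted $role_id to $sp_oid at $scope"
}

if [ $# -ge 3 ]; then
    assign_key_role "$1" "$2" "$3" "${4:-33413926-3206-4cdd-b39a-83574fe37a17}"
fi
```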

